Facebook Login Thieves Now Using Browser-in-browser Trick 2026
Over the past six months, hackers have relied increasingly on the browser-in-the-browser (BitB) method to trick users into providing Facebook account credentials.
The BitB phishing technique was developed by security researcher mr.d0x in 2022. Cybercriminals later adopted it in attacks targeting various online services, including Facebook and Steam.
Trellix researchers monitoring malicious activity say that threat actors steal Facebook accounts to spread scams, harvest personal data, or commit identity fraud. With more than three billion active users, the social network is still a prime target for fraudsters.
In a BitB attack, users who visit attacker-controlled webpages are presented with a fake browser pop-up containing a login form.
The pop-up is implemented using an iframe that imitates the authentication interface of legitimate platforms and can be customized with a window title and URL that make the deception more difficult to detect.
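As an added example (not from the Trellix report or BleepingComputer), a small Python triage heuristic for a page captured from a suspected BitB site: it parses the HTML, collects iframe sources and any URL-like text the visitor sees (the fake address bar), and flags cases where the displayed host does not match the host actually serving the iframe. The sample HTML and host names are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


class BitBScanner(HTMLParser):
    """Collect iframe sources and URL-looking text rendered to the user."""

    def __init__(self):
        super().__init__()
        self.iframe_srcs = []
        self.shown_urls = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.iframe_srcs.append(src)

    def handle_data(self, data):
        # Text such as a painted "address bar" is what the victim reads.
        self.shown_urls.extend(URL_RE.findall(data))


def find_bitb_indicators(page_html, page_host):
    """Heuristic: return (displayed_host, real_host) pairs where the page shows
    a URL for one host while the embedded login iframe is served from another.
    page_host is the origin that served the captured page; relative iframe
    sources resolve to it."""
    scanner = BitBScanner()
    scanner.feed(page_html)
    findings = []
    for shown in scanner.shown_urls:
        shown_host = urlparse(shown).hostname
        for src in scanner.iframe_srcs:
            real_host = urlparse(src).hostname or page_host
            pair = (shown_host, real_host)
            if shown_host and shown_host != real_host and pair not in findings:
                findings.append(pair)
    return findings


# Constructed sample: a fake window whose "URL bar" claims facebook.com
# while the form inside is a relative iframe on the phishing host.
SAMPLE_PAGE = """
<div class="fake-window">
  <div class="titlebar">Log in to Facebook</div>
  <div class="urlbar">https://www.facebook.com/login.php</div>
  <iframe src="/login.html"></iframe>
</div>
"""

if __name__ == "__main__":
    print(find_bitb_indicators(SAMPLE_PAGE, "attacker-site.example"))
```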
According to Trellix, recent phishing campaigns targeting Facebook users either impersonate law firms alleging copyright infringement and threatening imminent account suspension, or pose as Meta security notifications about unauthorized logins.
To avoid detection and to increase the sense of legitimacy, cybercriminals added shortened URLs and fake Meta CAPTCHA pages.
In the final stage of the attack, victims are prompted to log in by entering their Facebook credentials in a fake pop-up window.
These campaigns constitute a significant evolution compared to standard Facebook phishing campaigns that security researchers typically observe.
"The key shift lies in the abuse of trusted infrastructure, utilizing legitimate cloud hosting services like Netlify and Vercel, and URL shorteners to bypass traditional security filters and lend a false sense of security to phishing pages," reads the Trellix report.
Source: BleepingComputer